A honeypot is an information system resource that is set up to attract and trap individuals who attempt to penetrate an organization’s network. It has no authorized activity and does not have any production value. Any traffic to it is likely to be a probe, attack, or compromise. A honeypot can log port access attempts or monitor an attacker’s keystrokes, providing early warnings of a more concerted attack.
Honeypots can be classified based on their design criteria, deployment strategy, and deception technology.
Based on design criteria, honeypots can be classified into three types:
- Low-interaction Honeypots: These honeypots simulate only a limited number of services and applications of a target system or network.
- Medium-interaction Honeypots: These honeypots simulate a real operating system, applications, and services of a target network.
- High-interaction Honeypots: These honeypots simulate all services and applications of a target network.
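The low-interaction type above, and the "log port access attempts" role described in the opening paragraph, can be shown concretely. The following is an added example, not code from the original post: a minimal low-interaction TCP honeypot that listens on one port, presents a constructed SSH-style banner, records each connection's source and first bytes as an event, and never acts on what the client sends. The banner text, the in-memory event log and the `self_test_probe` local client are assumptions made for this illustration.

```python
import socket
import threading
import time

# Constructed banner: looks like an SSH greeting, but no SSH service exists behind it.
FAKE_BANNER = b"SSH-2.0-OpenSSH_8.9\r\n"

class LowInteractionHoneypot:
    """Listens on one port, logs every connection, never interprets what clients send.
    Every logged entry is alert-worthy: nothing legitimate ever connects here."""
    def __init__(self, host="127.0.0.1", port=0):    # port 0: the OS picks a free port
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.bind((host, port))
        self.sock.listen(16)
        self.sock.settimeout(0.2)                      # lets the accept loop notice stop()
        self.port = self.sock.getsockname()[1]
        self.events = []                               # in-memory log; production would ship to a SIEM
        self._stop = threading.Event()

    def _handle(self, conn, peer):
        with conn:
            conn.settimeout(2.0)
            try:
                conn.sendall(FAKE_BANNER)
                data = conn.recv(256)                  # record the probe; never execute or parse it
            except OSError:                            # timeout or client reset: still log the touch
                data = b""
        self.events.append({"ts": time.time(), "src_ip": peer[0], "src_port": peer[1],
                            "dst_port": self.port, "first_bytes": data[:64].hex()})

    def _serve(self):
        while not self._stop.is_set():
            try:
                conn, peer = self.sock.accept()
            except socket.timeout:
                continue
            threading.Thread(target=self._handle, args=(conn, peer), daemon=True).start()
        self.sock.close()

    def start(self): threading.Thread(target=self._serve, daemon=True).start()
    def stop(self): self._stop.set()

def self_test_probe(hp, payload=b"constructed-probe\r\n", timeout=3.0):
    """Local client (for exercising hp on the same host): sends a constructed probe,
    then waits until the honeypot has logged it. Returns (banner seen, event log)."""
    with socket.create_connection(("127.0.0.1", hp.port), timeout=2.0) as c:
        banner = c.recv(64)
        c.sendall(payload)
    deadline = time.time() + timeout
    while not hp.events and time.time() < deadline:
        time.sleep(0.05)
    return banner, list(hp.events)
```

Because the listener has no authorized users, every event it records can be forwarded as an alert without further filtering, which is what makes even this small a honeypot useful as an early warning.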
Based on deployment strategy, honeypots can be classified into two types:
- Production Honeypots: These honeypots are deployed inside the production network of the organization along with other production servers. As they are deployed internally, they also help to find out internal flaws and attackers within an organization.
- Research Honeypots: These honeypots are high-interaction honeypots primarily deployed by research institutes, governments, or military organizations to gain detailed knowledge about the actions of intruders.
Based on deception technology, honeypots can be classified into several types:
- Malware Honeypots: These honeypots are used to trap malware campaigns or malware attempts over the network infrastructure.
- Database Honeypots: These honeypots employ deliberately vulnerable fake databases to attract database-related attacks such as SQL injection and database enumeration.
- Spam Honeypots: These honeypots specifically target spammers who abuse vulnerable resources such as open mail relays and open proxies.
- Email Honeypots: These honeypots are fake email addresses that are specifically used to attract fake and malicious emails from adversaries.
- Spider Honeypots: These honeypots are specifically designed to trap web crawlers and spiders.
- Honeynets: Networks of honeypots, which are very effective in determining the full capabilities of adversaries.
In terms of tools, [HoneyBOT](https://www.atomicsoftwaresolutions.com) is a medium-interaction honeypot for Windows. It is an easy-to-use solution that is ideal for network security research. Other popular honeypot tools include KFSensor, MongoDB-HoneyProxy, Modern Honey Network, ESPot, and HoneyPy.
Some additional honeypot tools are listed below:
We hope this blog has provided a good overview of what a honeypot is and how it can be used in different scenarios. As always, please feel free to reach out to us with any questions or comments. Happy honeypotting!